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PREFACE 


This report maps Trend Micro’s Hybrid Cloud Security Solution to 
the HITRUST v9.1 standard, highlighting specific products in the 
solution and the level (in brackets) relevant under HITRUST v9.1. In 
addition, where relevant, specific areas under HIPAA, PCI DSS v3.2, 
GDPR, and multiple NIST frameworks are highlighted for 
applicability. 


For more information on Trend Micro’s Hybrid Cloud Security Solution, please visit 
https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html 
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01.c Privilege Management Smart Check (2) HIPAA Security Rule 


*Required for HITRUST v9.1 Certification Server Protect for Storage (2) PCI DSS v3.2 
(Page 1 of 2) Control Manager (1) NIST 











HIPAA Security Rule 


HIPAA § 164.308(a)(3)(i): Implement HIPAA-compliant policies and procedures for authorizing access to ePHI for all those permitted within the workforce 
and prevent those within the workforce who are not permitted to access ePHI. 

HIPAA § 164.308(a)(3)(ii)(A): Implement authorization and/or supervision (addressable) 

HIPAA § 164.308(a)(4)(i): Implement HIPAA-compliant policies and procedures for authorizing access to ePHI only when such access is appropriate, based 
on the user or recipient’srole 

HIPAA § 164.308(a)(4)(ii)(A): Implement isolating health care clearinghouse functions (required) 

HIPAA § 164.308(a)(4)(ii)(B): Implement access authorization (addressable) 

HIPAA § 164.308(a)(4)(ii)(C): Implement access establishment and modification (addressable) 

HIPAA § 164.308(a)(5)(ii)(C): Implement log-in monitoring (addressable) 

HIPAA § 164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain electronic protected 

health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a) 

HIPAA § 164.312(a)(2)(i): Assign a unique name and/or number for identifying and tracking user identity. 

HIPAA § 164.312(a)(2)(ii): Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an 
emergency. 


PCI Data Security Standard v3.2 


7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access 


7.1.1: Define access needs for each role 

7.1.2: Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities 

7.1.3: Assign access based on individual personnel’s job classification and function. 

7.1.4: Require documented approval by authorized parties specifying required privileges 

7.2: Establish an access control system(s) for systems components that restricts access based ona user’s need to know and is set to “deny all” 
unless specifically allowed. 

7.2.1: Access control system must include coverage of all system components 

7.2.2: Access controlsystem mustincludeassignmentof privilegestoindividuals based onjobclassificationandfunction 

7.2.3: Access control system must include default “deny-all” setting 

A.1.1: Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. 
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Trend Micro Offering (HITRUST level 


E Deep Security (3) 
01.cPrivilege Management Smart Check (2) HIPAA Security Rule 
*Required for HITRUST v9.1 Certification Server Protect for Storage (2) PCI DSS v3.2 
(Page 2 of 2) NIST 








Control Manager (1) 





National Institute of Standards & Technology (NIST) (2/2) 


LEVEL ONE: 
NIST Cybersecurity Frameworks 


PR.AC-4: Access permissions are managed, incorporate the principles of least privilege and separation of duties 
NIST SP 800-53 R4 AC-3: Access enforcement 


NIST SP 800-53 R4 AC-6: Least privilege 
NIST SP 800-53 R4 AC-6(1): Authorize access to security functions 


LEVEL TWO (Additional to One): NIST Cybersecurity Frameworks 
R.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes 





PR.DS-5: Protections against data leaks are implemented 


PR.PT-4: Communications and control networks are protected 
NIST SP 800-53 R4 AC-10: Concurrent session control 


NIST SP 800-53 R4 AC-2: Account management 

NIST SP 800-53 R4 AC-21: Information sharing 

NIST SP 800-53 R4 AC-3(7): Role-based access control 

NIST SP 800-53 R4 AC-6(2): Non-privileged access for nonsecurity functions. 


LEVEL THREE (Additional to Two) 
NIST Cybersecurity Frameworks 





DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events 
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established 


ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders 


PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 
NIST SP 800-53 R4 AC-6(10): Prohibit non-privileged users from executing privileged functions. 


NIST SP 800-53 R4 AC-6(5): Privileged accounts 
NISTSP800-53R4AC-6(9): Auditing use of privileged functions 
NIST SP 800-53 R4 CM-7: Least functionality 
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Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 


; : : : Deep Security (2) 
01.] Remote Diagnostic and Configuration Port Smart Check (2) HIPAA Security Rule 


Protection *Required for HITRUST v9.1Certification Server Protect for Storage (2) NIST 
(Page 1 of 1) 








Control Manager (3) 





HIPAA Security Rule 


HIPAA § 164.310(a)(2)(iii): Implement access control and validation procedures (addressable) HIPAA § 164.310(b): Implement 
policies and procedures to specify proper use of, and access to, workstations and electronic media. HIPAA § 164.310(C): 
Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. 


National Institute of Standards & Technology (NIST) (2/2) 


LEVEL ONE: 


NIST Cybersecurity Frameworks 
PR.AC-2: Physical access to assets is managed and protected 


PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities 
NIST SP 800-53 R4 PE-3(1): Information system access 


LEVEL TWO (Additional to One) 
NIST Cybersecurity Frameworks 





PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools 
NIST SP 800-53 R4 CM-7: Least functionality 


NIST SP 800-53 R4MA-4: Nonlocalmaintenance 
NIST SP 800-53 R4 MA-4(2): Document nonlocal maintenance 
NIST SP 800-53 R4MA-4(3): Comparable security/sanitization 


LEVEL THREE (Additional to Two) 
NIST Cybersecurity Frameworks 





DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. 


ID.AM-2: Software platforms and applications within the organization are inventoried 

ID.AM-3: Organizational communication and data flows are mapped 

PR. IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles 
(e.g. concept of least functionality) 


PR. IP-3: Configuration change control processes are in place 
NIST SP 800-53 R4 CM-7(1): Periodic review 


NIST SP 800-53 R4CM-7(2): Prevent program execution 
NISTSP 800-53 R4CM-7(4): Unauthorized software/blacklisting 
NIST SP 800-53 R4 CM-7(5): Authorized software/whitelisting 
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Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 


Deep Security (2) 


Control Manager (2) HIPAA Security Rule 
PCI DSS v3.2 
NIST 








01.n Privilege Management GDPR (EU) 


*Required for HITRUST v9.1 Certification 
(Page 1 of 1) 





EU General Data Protection Regulation (GDPR) 


GDPR Article 32(1)(a): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as 
well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement 
appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the 
pseudonymization and encryption of personal data; 


HIPAA Security Rule 


HIPAA § 164.310(b): Implement policies and procedures to specify proper use of, and access to, workstations and electronic media. 


PCI DSS v3.2 Subsection 


1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 


National Institute of Standards & Technology (NIST) 


LEVEL ONE: 


NIST Cybersecurity Frameworks 
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. 


PR.AC-3: Remote access is managed 


PR.AC-5: Network integrity is protected 
PR.DS-5: Protections against data leaks are implemented 


PR.PT-4: Communications and control networks are protected 
NIST SP 800-53 R4 SC-7: Boundary protection 
NIST SP 800-53 R4 SC-7(5): Deny by default / allow by exception 


LEVEL TWO (Additional to One) 
NIST Cybersecurity Frameworks 





DE.CM-1: The network is monitored to detect potential cybersecurity events 
PR.DS-2: Data-in-transit is protected 

PR. IP-3: Configuration change control processes are in place 

NIST SP 800-53 R4 AC-17: Remote access 

NIST SP 800-53 R4AC-17(3): Managed access control points 

NIST SP 800-53 R4 AC-2(11): Usage conditions 

NIST SP 800-53 R4 SC-7(3): Access points 

NIST SP 800-53 R4 SC-7(4): External telecommunications services 
NIST SP 800-53 R4 SC-7(7): Prevent split tunneling for remote devices 
NIST SP 800-53 R4 SC-7(8): Route traffic to authenticated proxy servers 
NIST SP 800-53 R4 SC-8: Transmission confidentiality and integrity 
PMI DSP Framework PR.DS-1:Encryption 
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Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 








Deep Security (1) 
01.v Information Access Restriction Smart Check (1) SLIME) 
š : are i HIPAA Security Rule 
Required for HITRUST v9.1 Certification Server Protect for Storage (1) PCI DSS v3.2 
(Page 1 of 2) Control Manager (2) NIST 





EU General Data Protection Regulation (GDPR) 


GDPR Article 32(1): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as 
well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement 
appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: 

(a) the pseudonymization and encryption of personal data; 


HIPAA Security Rule 


HIPAA § 164.308(a)(3)(i): Implement HIPAA-compliant policies and procedures for authorizing access to ePHI for all those permitted within the workforce 
and prevent those within the workforce who are not permitted to access ePHI. HIPAA § 164.308(a)(3)(ii)(A): Implement authorization and/or supervision 
(addressable) 

HIPAA § 164.308(a)(4)(i): Implement HIPAA-compliant policies and procedures for authorizing access to ePHI only when such access is appropriate, based 
on the user or recipient’srole 

HIPAA § 164.308(a)(4)(ii)(A): Implement isolating health care clearinghouse functions (required) 

HIPAA § 164.308(a)(4)(ii)(B): Implement access authorization (addressable) 

HIPAA § 164.308(a)(4)(ii)(C): Implement access establishment and modification (addressable) 

HIPAA § 164.310(b): Implement policies and procedures to specify proper use of, and access to, workstations and electronic media. 

HIPAA § 164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain electronic protected 

health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a) 

HIPAA § 164.312(a)(2)(i): Assign a unique name and/or number for identifying and tracking user identity. 

HIPAA § 164.312(a)(2)(ii): Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an 
emergency. 

HIPAA § 164.312(a)(2)(iv): Implement maintenance records (addressable) 


PCI Data Security Standard v3.2 


12.3.10: For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto 


local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business 
need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements. 


8.7: Allaccess to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: All 
user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability tq 
directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or other 
non- application processes). 
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Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 


l T Deep Security (1) GDPR (EU) 
01.v Information Access Restriction Smart Check (1) HIPAA Security Rule 


*Required for HITRUST v9.1 Certification Server Protect for Storage (1) PCI DSS v3.2 
(Page 2 of 2) Control Manager (2) NIST 











National Institute of Standards & Technology (NIST) 


LEVEL ONE: 

NIST Cybersecurity Frameworks 

PR.AC-4: Access permissions and authorizations are managed, incorporate the principles of least privilege and separation of duties 
PR.DS-5: Protections against data leaks are implemented 


PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities 
NIST SP 800-53 R4 AC-14: Permitted actions without identification or authentication 


NIST SP 800-53 R4 AC-6: Least privilege 


LEVEL TWO (Additional to One): 
NIST Cybersecurity Frameworks 





PR.DS-1: Data-at-rest is protected 

NIST SP 800-53 R4 AC-1: Access control policy and procedures 

NIST SP 800-53 R4 AC-3: Access enforcement 

NIST SP 800-53 R4 DM-1: Minimization of personally identifiable information 
NIST SP 800-53 R4 SC-13: Cryptographic protection 

NIST SP 800-53 R4 SC-15: Collaborative computing devices 
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Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 


3 ; ; Deep Security (2) 
06.d Data Protection and Privacy of Covered Information Control Manager (2) GDPR (EU) 


*Required for HITRUST v9.1 Certification PCI DSS v3.2 
(Page 1 of 3) NIST 











GDPR Article 5(1)(f): Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection 
against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures 
GDPR Article 5(2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’) 

GDPR Article 6(1)(a): Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent 
to the processing of his or her personal data for one or more specific purpose. 

GDPR Article 24(1): Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for 
the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to 
demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. 

GDPR Article 25(1): Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as 
well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the 
time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational 
measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner 
and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data 
subjects 

GDPR Article 25(2): The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data 
which are necessary for each specific purpose of the processing are processed. 2That obligation applies to the amount of personal data collected, the 
extent of their processing, the period of their storage and their accessibility. 3In particular, such measures shall ensure that by default personal data 
are not made accessible without the individual’s intervention to an indefinite number of natural persons. 

GDPR Article 27(1): Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union. 

GDPR Article 27(2): The obligation laid down in paragraph 1 of this Article shall not apply to: GDPRA 27.2.A or B GDPR Article 27(3): The 

representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the 

offering of goods or services to them, or whose behavior is monitored, are. 

GDPR Article 27(4): The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller orthe 
processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with 
this Regulation. 

GDPR Article 27(5): The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be 
initiated against the controller or the processor themselves. 

GDPR Article 32(1): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as 
well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement 


appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate 

GDPR Article 37(1): The controller and the processor shall designate a data protection officer in any case where: GDPRA 37.1A/B/C 

GDPR Article 37(2): Agroup of undertakings may appointa single data protection officer provided that a data protection officer is easily accessible from 
each establishment. 
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Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 


3 ; ; Deep Security (2) 
06.d Data Protection and Privacy of Covered Information Control Manager (2) GDPR (EU) 


*Required for HITRUST v9.1 Certification PCI DSS v3.2 
(Page 2 of 3) NIST 








EU General Data Protection Regulation (GDPR) (2/2) 


GDPR Article 37(3): Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several 
such authorities or bodies, taking account of their organizational structure and size. 

GDPR Article 37(4): In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing 
categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data 
protection officer may act for such associations and other bodies representing controllers or processors. 

GDPR Article 37(5): The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of 

data protection law and practices and the ability to fulfil the tasks referred to in Article 39. 

GDPR Article 37(7): The controller or the processor shall publish the contact details of the data protection officer and communicate them tothe 
supervisory authority. 

GDPR Article 38(1): The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues 
which relate to the protection of personal data. 

GDPR Article 38(2): The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by 
providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her 
expert knowledge. 

GDPR Article 38(3): The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise 
of those tasks. 2He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. 3The data protection officer 
shall directly report to the highest management level of the controller or the processor. 

GDPR Article 38(5): The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in 
accordance with Union or Member State law. 

GDPR Article 38(6): The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and 
duties do not result in a conflict of interests. 

GDPR Article 39(1): The data protection officer shall have at least the following tasks: (GPDRA 39.1.A/B/C/D/E) 

GDPR Article 39(2): The data protection officer shallin the performance of his or her tasks have due regard to the risk associated with 

processing operations, taking into account the nature, scope, context and purposes of processing. 


PCI Data Security Standard v3.2 


3.1: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least 


the following for all cardholder data (CHD) storage: Limiting data storage amount and retention time to that which is required for legal, regulatory, 
and/or business requirements Specific retention requirements for cardholder data Processes for secure deletion of data when no longer needed 
A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 

3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following 
approaches: One-way hashes based on strong cryptography, (hash must be of the entire PAN) Truncation (hashing cannot be used to replace the 
truncated segment of PAN) Index tokens and pads (pads must be securely stored) Strong cryptography with associated key-management processes 
and procedures. 

3.4.1: If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently 
of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network 
login credentials). Decryption keys must not be associated with user accounts 
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HITRUST Standard Trend Micro Offering (HITRUST level) Additional Frameworks 
y : y Deep Security (2) 
06.d Data Protection and Privacy of Covered Information Control Manager (2) GDPR (EU) 


*Required for HITRUST v9.1 Certification 
(Page 3 of 3) 


PCI DSS v3.2 
NIST 





National Institute of Standards & Technology (NIST) 


LEVEL ONE: 

NIST Cybersecurity Frameworks 

ID. GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed 
PR.DS-1: Data-at-rest is protected 


PR.DS-2: Data-in-transit is protected 
NIST SP 800-53 R4 AR-1: Governance and privacy program 


NIST SP 800-53 R4 AR-2: Privacy impact and riskassessment 

NIST SP 800-53 R4 SC-12(1): Cryptographic key establishment and managementavailability 
NIST SP 800-53 R4 SC-28: Protection of information at rest 

NIST SP 800-53 R4 SC-28(1): Cryptographic protection 


LEVEL TWO (Additional to One): 
NIST SP 800-53 R4 SI-12: Information handling and retention 
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Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 


Deep Security (2) 
Control Manager (2) HIPAA Security Rule 
PCI DSS v3.2 
NIST 





06.g Compliance with Security Policies and Standards 


*Required for HITRUST v9.1 Certification 
(Page 1 of 1) 





HIPAA Security Rule 


HIPAA § 164.308(a)(1)(ii)(D): Implement information system activity review(s) 

HIPAA § 164.308(a)(2): Designate a HIPAA compliance security official who is responsible for developing and implementing the data center’s security 
policies and procedures. 

HIPAA § 164.308(a)(8): Perform a periodic assessment of how well the data center’s security policies and procedures meet the requirements of the 
Security Rule. 


PCI Data Security Standard v3.2 


12.11: Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and 
operational procedures. Reviews must cover the following processes: Daily log reviews Firewall rule-set reviews Applying configuration standards to new 
systems Responding to security alerts Change management processes 

12.11.1: Additional requirement for service providers only: Maintain documentation of quarterly review process to include: Documenting results of the 
reviews Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program 


National Institute of Standards & Technology (NIST) 


LEVEL ONE: 


NIST Cybersecurity Frameworks 

DE. DP-1: Roles and responsibilities for detection are well defined to ensure accountability 
DE. DP-4: Event detection information is communicated 

ID.RA-6: Risk responses are identified and prioritized 

NISTSP800-53R4AR-4: Privacy monitoring and auditing 


LEVEL TWO (Additional to One) 
NIST Cybersecurity Frameworks 





DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 
NIST SP 800-53 R4 CA-1: Security assessments and authorization policies and procedures 

NIST SP 800-53 R4 CA-7: Continuous monitoring 

NIST SP 800-53 R4CA-7(1): Independent assessments 

NIST SP 800-53 R4 RA-5: Vulnerability scanning 
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Hybrid Cloud Security Solution 





Trend Micro Offering (HITRUST level) Additional Frameworks 
, . Deep Security (2) 
06.h Technical Compliance Checking Smart Check (2) HIPAA Security Rule 
*Required for HITRUST v9.1 Certification Server Protect for Storage (1) NIST 


(Page 1 of 1) Control Manager (2) 





HIPAA Security Rule 


HIPAA § 164.308(a)(1)(ii)(D): Implement information system activity review(s) 
HIPAA § 164.308(a)(8): Perform a periodic assessment of how well the data center’s security policies and procedures meet the requirements of 
the Security Rule. 


National Institute of Standards & Technology (NIST) 


LEVEL ONE: 

NIST Cybersecurity Frameworks 

DE.CM-8: Vulnerability scans are performed 

ID.RA-1: Asset vulnerabilities are identified and documented 

ID.RA-6: Risk responses are identified and prioritized 

PR. IP-12: A vulnerability management plan is developed and implemented 


RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks 
NIST SP 800-53 R4 CA-2: Security assessments 


LEVEL TWO (Additional to One): 
NIST SP 800-53 R4 CA-2(2): Specialized assessments 
NIST SP 800-53 R4 CA-7: Continuous monitoring 
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Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 


Deep Security (2) 
Smart Check (2) HIPAA Security Rule 
*Required for HITRUST v9.1 Certification Server Protect for Storage (2) PCI DSS v3.2 


(Page 1 of 2) Control Manager (2) EA 





08.b Physical Entry Controls 





HIPAA Security Rule 


HIPAA § 164.310(a)(1): Limit physical access to the data center facilities while ensuring that authorized access is allowed. 

HIPAA § 164.310(a)(2)(iii): Implement access control and validation procedures (addressable) 

HIPAA § 164.310(b): Implement policies and procedures to specify proper use of, and access to, workstations and electronic media. 
HIPAA § 164.310(C): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. 


PCI Data Security Standard v3.2 


9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment 

9.2: Develop procedures to easily distinguish between onsite personnel and visitors, to include: Identifying onsite personnel and visitors (for 

example, assigning badges) Changes to access requirements Revoking or terminating onsite personnel and expired visitor identification (such as ID 
badges). 

9.3: Control physical access for onsite personnel to sensitive areas as follows: Access must be authorized and based on individual job function. Access is 
revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. 

9.4: Implement procedures to identify and authorize visitors. 

9.4.1: Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained. 

9.4.2: Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel. 
9.4.3: Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration. 

9.4.4: A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder 


data is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. 
Retain this log for a minimum of three months, unless otherwise restricted by law 
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08.b Physical Entry Controls 





National Institute of Standards & Technology (NIST) (2/2) 


LEVEL ONE: 

NIST Cybersecurity Frameworks 

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events 
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 
DE. DP-2: Detection activities comply with all applicable requirements 

PR.AC-2: Physical access to assets is managed and protected 

NIST SP 800-53 R4 MA-2: Controlled maintenance 

NIST SP 800-53 R4 PE-2: Physical access authorizations 

NIST SP 800-53 R4 PE-3: Physical access control 

NIST SP 800-53 R4 PE-8: Visitor access records 


LEVEL TWO (Additional to One) 
NIST Cybersecurity Frameworks 





PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 


RS.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams 
NIST SP 800-53 R4 PE-6: Monitoring physical access 
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HIPAA Security Rule 


HIPAA § 164.310(a)(1): Limit physical access to the data center facilities while ensuring that authorized access is allowed. 
HIPAA § 164.310(a)(2)(ii): Implemented facility security plan (addressable) 
HIPAA § 164.310(a)(2)(iii): Implement access control and validation procedures (addressable) 


National Institute of Standards & Technology (NIST) 


LEVEL ONE: 

NIST Cybersecurity Frameworks 

PR. IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met 
NIST SP 800-53 R4 PE-1: Physical and environmental protection policy and procedures 

NIST SP 800-53 R4 PE-13: Fire protection 

NIST SP 800-53 R4 PE-13(1): Detection devices/systems 


LEVEL TWO (Additional to One): 
NIST SP 800-53 R4 AT-3(1): Role-based security training: environmental controls 
NIST SP 800-53 R4 PE-13(3): Automatic fire suppression 
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HIPAA Security Rule 


HIPAA § 164.308(b)(1): A covered entity or business associate may permit a business associate to create, receive, maintain, or transmit ePHI on 

the covered entity’s behalf only if the covered entity obtains satisfactory assurances in the form of a written contract or other agreement. 

HIPAA § 164.308(b)(3):Documentthesatisfactory assurances required by paragraph (b)(1) or(b)(2) ofthis section through a written contract or other 
arrangement with the business associate that meets the applicable requirements of § 164.314(a). 

HIPAA § 164.314(a)(1): The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), 
or (a)(2)(iii) of this section, as applicable. 

HIPAA § 164.314(a)(2)(ii): In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic 
protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a 
contract or other arrangement that complies with this section; 


National Institute of Standards & Technology (NIST) 


LEVEL ONE 

NIST Cybersecurity Frameworks 

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. 

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events 

ID.AM-4: External information systems are catalogued Cybersecurity roles and responsibilities for the entire workforce and third-party 
stakeholders are established 

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities 

PR.PT-4: Communications and control networks areprotected 

NIST SP 800-53 R4 CA-3: System interconnections 

NIST SP 800-53 R4 SA-9: External information system services 


LEVEL TWO (Additional to One) 
NIST Cybersecurity Frameworks 





DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. 


DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 

ID.AM-3: Organizational communication and data flows are mapped 

ID. GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed. 
NIST SP 800-53 R4 CA-3(5): Restrictions on external system connections 

NIST SP 800-53 R4 SA-9(2): Identification of functions/ports/protocols/services 
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EU General Data Protection Regulation (GDPR) 


GDPR Article 32(1)(a): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing 
as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement 
appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the 
pseudonymization and encryption of personal data; 


GDPR Article 32(1)(b): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as 
well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement 
appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (b) the ability 
to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 


HIPAA Security Rule 


HIPAA § 164.312(a)(2)(i): Assign a unique name and/or number for identifying and tracking user identity. 

HIPAA § 164.312(c)(1): Implement policies and procedures to protect ePHI from alteration or destruction in an unauthorized manner. 

HIPAA § 164.312(c)(2): Establish mechanisms to authenticate those seeking access to ePHI (addressable). 

HIPAA § 164.312(d): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. 

HIPAA § 164.312(e)(1): Implement technical security measures to guard against unauthorized access or manipulation to ePHI that is being transmitted 
over an electronic communications network. 

HIPAA § 164.312(e)(2)(i): Implement security measures to ensure that electronically transmitted ePHI is not modified without detection until disposed of 
(addressable) 

HIPAA § 164.312(e)(2)(ii): Establish a mechanism to encrypt ePHI whenever it is deemed appropriate (addressable) 


PCI Data Security Standard v3.2 (1/2 


1.1: Establish and implement firewall and router configuration standards that include the following: 


1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configurations 

1.1.2: Current network diagram that identifies all connections between the cardholder data environment and other networks, including any 
wireless networks 

1.1.3: Current diagram that shows all cardholder data flows across systems and networks 

1.1.4: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone 
1.1.5: Description of groups, roles, and responsibilities for management of network components 

1.1.6: Documentation of business justification and approval for use of allservices, protocols, and ports allowed, including documentation of 
security features implemented for those protocols considered to be insecure. 

1.1.7: Requirement to review firewall and router rule sets at least every six months 

(Continued next page....) 
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PCI Data Security Standard v3.2 (2/2) 


1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder 
data environment. 

1.2.2: Secure and synchronize router configuration files. 

1.2.3: Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if 
trafficis necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. 
1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment. 

1.3.1:lmplementa DMZtolimitinboundtrafficto only system components that provide authorized publicly accessible services, protocols, and ports. 
1.3.2: Limit inbound Internet traffic to IP addresses within the DMZ. 

1.3.3: Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. 

1.3.4: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. 

1.3.5: Permit only “established” connections into the network. 

1.3.6: Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and 

other untrusted networks. 

1.3.7: Do not disclose private IP addresses and routing information to unauthorized parties. 

11.1: Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized 
wireless access points on a quarterly basis. 

11.4: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the 
perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected 
compromises 

2.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults 
at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. 

4.1.1: Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to 
implement strong encryption for authentication and transmission. 


9.1.3:Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and 
telecommunication lines 


National Institute of Standards & Technology (NIST) (1/2) 


LEVEL ONE: 
NIST Cybersecurity Frameworks 


DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. 

DE.CM-1: The network is monitored to detect potential cybersecurity events 

ID.AM-3: Organizational communication and data flows are mapped 

PR.DS-2: Data-in-transit is protected 

PR.DS-5: Protections against data leaks are implemented 

PR. IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles 
(e.g. concept of least functionality) 

NIST SP 800-53 R4 AC-18: Wireless access 

NIST SP 800-53 R4AC-18(1): Authentication and encryption 

NIST SP 800-53 R4 SI-4: Information system monitoring 
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National Institute of Standards & Technology (NIST) (2/2) 


LEVEL TWO (Additional to One): 
NIST Cybersecurity Frameworks Subsections 





DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. 
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes 
PR.AC-5: Network integrity is protected 

NIST SP 800-53 R4 AC-17: Remote access 

NISTSP 800-53 R4CA-3:System interconnections 

NIST SP 800-53 R4 CM-3: Configuration change control 

NIST SP 800-53 R41A-3: Device identification and authentication 

NIST SP 800-53 R4 SC-19: Voice over internet protocol 


NIST SP 800-53 R4 SC-20: Secure name/address resolution service (authoritative source) 
NIST SP 800-53 R4 SC-7: Prevent split tunneling for remote devices 

NIST SP 800-53 R4 SC-7(5): Deny by default/allow by exception 

NIST SP 800-53 R4 SC-8: Transmission confidentiality and integrity 

NIST SP 800-53 R4 SC-8(1): Cryptographic or alternate physical protection 

NIST SP 800-53 R4 SC-8(2): Pre/post transmission handling 
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HIPAA Security Rule 


HIPAA § 164.308(a)(5)(ii)(C): Implement log-in monitoring (addressable) HIPAA § 164.312(b): Implement hardware, software, and/or procedural 
mechanisms that record and examine activity in information systems that contain or use ePHI. 


PCI Data Security Standard v3.2 


10.1: Implement audit trails to link all access to system components to each individual user 

10.2: Implement automated audit trails for all system components to reconstruct the following events: 

10.2.1: All individual user accesses to cardholder data 

10.2.2: All actions taken by any individual with root or administrative privileges 

10.2.4: Invalid logical access attempts 

10.2.5: Use of and changes to identification and authentication mechanisms— including but not limited to creation of new accounts and elevation 
of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges 

10.2.6: Initialization, stopping, or pausing of the audit logs 

10.2.7: Creation and deletion of system-level objects 

10.3.1: Record audit trail entries for user identification. 

10.3.2: Record audit trail entries for type(s) of event. 

10.3.3: Record audit trail entries for date and time. 

10.3.4: Record audit trail entries for success or failure indication. 

10.3.5: Record audit trail entries for origination of event. 

10.3.6: Record audit trail entries for identity or name of affected data, system component, or resource 

10.3.7: Record audit trail entries for system or component 

10.5: Secure audit trails so they cannot be altered. 

10.7: Retain audit trail history for at least one year, witha minimum of three months immediately available for analysis (for example, online, archived, 
or restorable from backup) 


A.1.3: Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10. 
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National Institute of Standards & Technology (NIST) 


LEVEL ONE: 

NIST Cybersecurity Framework 

DE.CM-1: The network is monitored to detect potential cybersecurity events 

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events 

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 
NIST SP 800-53 R4 AR-4: Privacy monitoring and auditing 

NIST SP 800-53 R4 AU-11: Audit record retention 

NIST SP 800-53 R4 AU-3: Content of audit records 

NIST SP 800-53 R4 AU-8: Time stamps 

NIST SP 800-53 R4 AU-9: Protection of audit information 


LEVEL TWO (Additional to One): 
NIST Cybersecurity Frameworks 





DE.CM-1: The network is monitored to detect potential cybersecurity events 


NIST SP 800-53 R4 AC-6(9): Auditing use of privileged functions 
NIST SP 800-53 R4 AU-2: Audit events 

NISTSP 800-53 R4AU-2(3): Review and updates 

NIST SP 800-53 R4 AU-5: Response to audit processing failures 
NIST SP 800-53 R4 AU-5(4): Shutdown on failure 

NIST SP 800-53 R4 AU-9(4): Access by subset of privileged users 
NIST SP 800-53 R4 AU-9(5): Dual authorization 


LEVEL THREE (Additional toTwo): 
NIST SP 800-53 R4 AC-2(4): Automated audit actions 
NISTSP 800-53 R4AU-3(1):Additional audit information 
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HIPAA Security Rule 


HIPAA § 164.308(a)(1)(ii)(D): Implement information system activity review(s) 

HIPAA § 164.308(a)(3)(ii)(A): Implement authorization and/or supervision (addressable) 

HIPAA § 164.308(a)(4)(i): Implement HIPAA-compliant policies and procedures for authorizing access to ePHI only when such access is appropriate, based 
on the user or recipient’srole 

HIPAA § 164.308(a)(4)(ii)(B): Implement access authorization (addressable) 

HIPAA § 164.308(a)(5)(ii)(B): Implement protection from malicious software (addressable) 

HIPAA § 164.308(a)(5)(ii)(C): Implement log-in monitoring (addressable) 

HIPAA § 164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that 
contain or use ePHI. 


PCI Data Security Standard v3.2 


10.6: Review logs and security events for all system components to identify anomalies or suspicious activity. 

10.6.1: Review the following at least daily: All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all 
critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection 
systems/intrusion-prevention systems (IDS/ IPS), authentication servers, e-commerce redirection servers, etc.). 

10.6.2: Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by 

he organization’s annual risk assessment. 

10.6.3: Follow up exceptions and anomalies identified during the review process. 

10.8: Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control 


systems, including but not limited to failure of: Firewalls IDS/IPS FIM Anti-Virus Physical access controls Logical access controls Audit logging mechanisms 


Segmentation controls (if used) 

10.8.1: Additional requirementfor service providers only: Respond to failures of any critical security controlsinatimely manner. Processes for 
responding to failures in security controls must include: Restoring security functions Identifying and documenting the duration (date and time start to 
end) of the security failure Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to 
address root cause Identifying and addressing any security issues that arose during the failure Performing a risk assessment to determine 
whether further actions are required asa result of the security failure Implementing controls to prevent cause of failure from reoccurring Resuming 
monitoring of security controls 

11.5: Deploy achange-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including 
changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file 
comparisons at least weekly 





Standards Equivalency Report | 22 fy ED LOGY 
Prepared by Meditology Services ENL SERVICES 


Standards Equivalency Report 





Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 





Deep Security (3) 
09.ab Monitoring System Use Smart Check (3) HIPAA Security Rule 
*Required for HITRUST v9.1 Certification Server Protect for Storage (3) PCI DSS v3.2 
(Page 2 of 3) Control Manager (3) NIST 





National Institute of Standards & Technology (NIST) (1/2) 


LEVEL ONE: 

NIST Cybersecurity Frameworks 

DE. DP-2: Detection activities comply with all applicable requirements 

DE. DP-3: Detection processes are tested 

DE-AE-3: Event data are collected and correlated from multiple sources and sensors 
DE-DP-5: Detection processes are continuously improved 


ID. GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed 


LEVEL TWO (Additional to One) 
NIST Cybersecurity Frameworks 





DE.AE-2: Detected events are analyzed to understand attack targets and methods 

DE.CM-1: The network is monitored to detect potential cybersecurity events 

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 
RS.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams 
NIST SP 800-53 R4 AR-4: Privacy monitoring and auditing 

NIST SP 800-53 R4 AU-2: Audit events 

NIST SP 800-53 R4 AU-3: Content of audit records 

NIST SP 800-53 R4 AU-7: Audit reduction and report generation 

NIST SP 800-53 R4 AU-7(1): Automatic processing 

NIST SP 800-53 R4 PE-6: Monitoring physical access 

NIST SP 800-53 R4SI-4: Information system monitoring 

NIST SP 800-53 R4 SI-4(2): Automated tools for real-time analysis 


LEVEL THREE (Additional to Two) 

NIST Cybersecurity Frameworks 

DE.CM-4: Malicious code is detected 

NDE.DP-2: Detection activities comply with all applicable requirements 





DE. DP-4: Event detection information is communicated 

ID.RA-1: Asset vulnerabilities are identified and documented 
RS.AN-1: Notifications from detection systems are investigated 
RS.CO-2: Incidents are reported consistent with established criteria 


(Continued on next page...) 
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National Institute of Standards & Technology (NIST) (2/2) 
LEVEL THREE (Cont.) 
NIST SP 800-53 R4 AC-2(12): Account monitoring / atypical use 


NIST SP 800-53 R4 AU-6: Audit review, analysis, and reporting 

NIST SP 800-53 R4 AU-6(1): Process integration 

NIST SP 800-53 R4 AU-6(3): Correlate audit repositories 

NIST SP 800-53 R4 AU-6(9): Correlation with information from nontechnical sources 
NIST SP 800-53 R4 SI-3: Malicious code protection 


NIST SP 800-53 R4 SI-4(1): System-wide intrusion detection systems 

NIST SP 800-53 R4 SI-4(3): Automated tool integration 

NIST SP 800-53 R4 SI-4(4): Inbound and outbound communications traffic 
NIST SP 800-53 R4 SI-4(5): System-generated alerts 

NIST SP 800-53 R4 SI-7(2): Software, firmware, and information integrity 
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HIPAA Security Rule 


HIPAA § 164.308(a)(8): Perform a periodic assessment of how well the data center’s security policies and procedures meet the requirements of the 
Security Rule. 


PCI Data Security Standard v3.2 


11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. 

11.2.1: Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in 
accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel. 

11.2.2: Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards 
Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. 

11.2.3: Qualified personnel perform internal and external scans, and rescans as needed, after any significant change. 

11.3: Implement a methodology for penetration testing that includes the following: Is based on industry-accepted penetration testing approaches 
(for example, NISTSP800- 115) Includes coverage forthe entire CDE perimeter and critical systems Includes testing from bothinside and outsidethe 
network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests to include, ata 
minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network 
functions as well as operating systems Includes review and consideration of threats and vulnerabilities experienced in the last 12 months Specifies 
retention of penetration testing results and remediation activities results. 

11.3.1: Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such 

as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 

11.3.2: Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such 

as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). 

11.3.3: Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. 

11.3.4: If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to 
segmentation controls/ methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from 
systemsinthe CDE. 

11.3.4.1: For service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls atleast 
every six months and after any changes to segmentation controls/methods. 

2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are 
consistent with industry accepted system hardening standards. 

2.2.2: Enable only necessary services, protocols, daemons, etc., as required for the function of the system. 

2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure 

6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking 
(for example, as high, medium, or low) to newly discovered security vulnerabilities. 

6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. 
Install critical security patches within one month of release 

6.4.5: Changecontrol procedures mustincludethe following: 

6.4.5.1: Documentation ofimpact. 

6.4.5.2: Documented change approval by authorized parties. 


6.4.5.3: Functionality testing to verify that the change does not adversely impact the security of the system. 
6.4.5.4: Back-out procedures. 
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10.m Control of Technical Vulnerabilities Smart Check (2) HEA St ul 


*Required for HITRUST v9.1 Certification Server Protect for Storage (3) PCI DSS v3.2 
(Page 2 of 2) NIST 





Control Manager (2) 





National Institute of Standards & Technology (NIST) 


LEVEL ONE: 

NIST Cybersecurity Frameworks 

ID.RA-1: Asset vulnerabilities are identified and documented 

ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources 
ID.RA-4: Potential business impacts and likelihoods are identified 

ID.RA-6: Risk responses are identified and prioritized 

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks 
NIST SP 800-53 R4 RA-5: Vulnerability scanning 


LEVEL TWO (Additional to One): 
NIST Cybersecurity Frameworks 





DE.CM-8: Vulnerability scans are performed 

DE. DP-5: Detection processes are continuously improved 

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established 

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk 

PR. IP-12: A vulnerability management plan is developed and implemented 

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 

RS.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams 
NIST SP 800-53 R4 CM-6: External service provider activity is monitored to detect potential cybersecurity events 

NIST SP 800-53 R4 CM-7: Least functionality 

NIST SP 800-53 R4 SI-5: Security alerts, advisories, and directives 


LEVEL THREE (Additional to Two): 
NIST Cybersecurity Frameworks 





PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities 
NIST SP 800-53 R4 CA-2: Security assessments 

NIST SP 800-53 R4 CA-7: Continuous monitoring 

NIST SP 800-53 R4 CA-8: Penetration testing 

NIST SP 800-53 R4RA-5(1): Update tool capability 

NIST SP 800-53 R4 RA-5(2): Update by frequency / prior to new scan / when identified 
NISTSP800-53R4RA-5(4): Discoverableinformation 

NIST SP 800-53 R4 RA-5(5): Privileged access 

NIST SP 800-53 R4 SI-2: Flaw remediations 

NIST SP 800-53 R4 SI-2(1): Central management 

NIST SP 800-53 R4 SI-2(2): Automated flaw remediation status 





Standards Equivalency Report | 26 fy ED LOGY 
Prepared by Meditology Services ENL SERVICES 


Standards Equivalency Report 





Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 





P P Deep Security (3) 
00.a Information Security Management Program Smart Check (3) GDPR (EU) 
*Required for HITRUST v9.1 Certification Server Protect for Storage (3) HIPAA Security Rule 


(Page 1 of 2) NIST 


Control Manager (3) 





EU General Data Protection Regulation (GDPR) 


GDPR Article 24(1): Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the 
rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to 
demonstrate that processing is performed in accordance with this Regulation. 2Those measures shall be reviewed and updated where necessary. 


GDPR Article 25(1): Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as 
well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the 
time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational 
measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner 
and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data 
subjects 


GDPR Article 32(1): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as 
well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement 
appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the 
pseudonymization and encryption of personal data; 


HIPAA Security Rule 
HIPAA § 164.308(a)(1)(i): Risk analysis (required) HIPAA § 164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and 
vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity 


HIPAA § 164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply 
with §164.306(a). 

HIPAA § 164.308(a)(8): Evaluation 

HIPAA § 164.312(a)(2)(ii): Emergency access procedure (required) 

HIPAA § 164.316(b)(1): Standard: documentation 

HIPAA § 164.316(b)(2)(iii): Make documentation available to those persons responsible for implementing the procedures to which the documentation 
pertains. 
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Standards Equivalency Report 





Hybrid Cloud Security Solution 
Trend Micro Offering (HITRUST level) 





P P Deep Security (3) 
00.a Information Security Management Program Smart Check (3) GDPR (EU) 
*Required for HITRUST v9.1 Certification Server Protect for Storage (3) HIPAA Security Rule 


(Page 2 of 2) NIST 


Control Manager (3) 





National Institute of Standards & Technology (NIST) 


LEVEL ONE): 
NIST Cybersecurity Framework 


ID. GV-1: Organizational cybersecurity policy is established and communicated. 
ID. GV-4: Governance and risk management processes address cybersecurity risks. 
NIST SP 800-53 R4 PM-1: Information security program plan. 


LEVEL TWO (Additional to One): 
NIST Cybersecurity Frameworks 
PR. IP-7: Protection processes are improved 





LEVEL THREE (Additional to Two): 

NIST Cybersecurity Frameworks 

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established 
PR.AT-1: All users are informed and trained 





PR.AT-2: Privileged users understand their roles and responsibilities 

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities 
PR.AT-4: Senior executives understand their roles and responsibilities 

PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities 

NIST SP 800-53 R4 PM-13: Information security workforce 

NIST SP 800-53 R4 PM-2: Senior information security officer 
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